View
5
Download
0
Category
Preview:
Citation preview
Cyber Security & Insider Threats
January 2018
2© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Agenda— History and Types of Cyber Threats
— Issues Facing Cyber Security
— Cyber Security Trends and the Evolving Threat Landscape
— How do we Organize our Cyber Program?
— Q & A
Forbes Insights and KPMG 2017 Cyber Survey
What would your organization need the most to be more effective in cyber security?
Stronger processes 27%
More technology 22%
Better strategy 21%
Increased funding 19%
Better quality staff 7%
More staff 4%
History and Types of Cyber Threats
4© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
A Brief History of Cyber Threats
•The Internet is a closed off world dominated by academics and hobbyists•“White Hat” and “Black Hat” hackers emerge•Hacking has recreational and educational purposes, but other motivations prevail and the Internet loses some of its innocence
1980s
•In the mid-1990s the Internet starts to reach mainstream consumers•As more businesses come online, sensitive and financial data becomes a criminal commodity. Denial of Service (DoS) attacks emerge
•The first incident of cyber espionage is reported in the late 1990s
1990s
•The Internet becomes a regular part of life for most people and an accepted part of business and government activity
•More sophisticated cyber attacks come online such as financial Trojans and the hijacking of millions of online banking sessions coupled with dramatic increases in data breaches
•The rise of smartphones makes mobile the new frontier of cyber risks•The first allegations of military cyber attacks occur in Estonia (2007) and Georgia (2008)
2000s
•The battle between cyber criminals and cyber security firms reaches maturity•Cyber security is a $75 billion market place•A black market thrives between cyber criminals where high-end exploitation tools can change hands for up to a million dollars
•Cyber criminals cost businesses $400 billion annually•The Internet of Things (IoT) is likely the to become the new cyber battleground
2010 to Present
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
5© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Cyber Risks Today— Businesses today are
confronted by a bewildering variety of cyber attacks. This often makes cyber risks feel overwhelming.
— Analysis shows that attackers tend to be clustered into three main groups, using either “commoditized”, “targeted” or “high-end” approaches to victim selection and exploitation.
Commoditized Attacks
Hundreds of millions of victims
$300–$10,000
High impact
Targeted Attacks
Tens of thousands of victims
$10,000 – $1 million
High impact
High-end Attacks
Dozens of victims
$1 million –$100 million
Extreme impact
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
6© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Commoditized Attack Details
Financial Cost:$300 - $10,000.
Attack Methods:“Spray and pray” techniques, using spam
emails, malicious website “watering holes” that target a group of people from a certain
organization or geography, and criminal infrastructure to leverage vulnerabilities in
often out-of-date software.
Victims:Wide range of individuals and businesses, often via their customers.
Overall Impact:High. Although returns may be relatively low, these economy-of-scale attackers monetize millions of victims and damage many more.
Victim Numbers:Hundreds of millions.
Technical Ability:Generally low. Attackers rely on an assortment
of specialist tools designed by others and available in the online cybercriminal
marketplace.
Attackers:Organized crime groups operating
internationally. Smaller - scale criminals. Hacktivists.
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
7© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Commoditized Attack – Common Tactics
Financial Trojans Commodity Ransomware SQL InjectionDenial of Service Attacks
— Malicious software
— Email attachment or web link delivery
— Allows attackers to hijack and modify a customer’s online banking transactions
— Malware
— Locks victim’s computer or mobile device
— Demands a ransom payment to regain access
— Often uses encryption to lock files forever if the user declines payment
— Disruption to online services
— Overloads networks and servers with attack traffic
— Commonly extortion-based
— Web software
— Allows SQL injection
— Attacker can smuggle commands into databases to destroy or modify company data or passwords
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
8© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Targeted Attack Details
Financial Cost:$10,000 - $1 million.
Attack Methods:Demonstrate an understanding of the industry
they are attacking, including its systems and communications, and often causing significant
business disruption by tailoring the attack to the victim, thus ensuring greater impact and
financial rewards.
Victims:High-net-worth individuals and businesses, often targeted through their supply chains and customers.
Overall Impact:High.
Victim Numbers:Tens of thousands.
Technical Ability:Generally high. Attackers will deploy
customized and targeted attack tools against commercial systems.
Attackers:Organized crime groups operating
internationally.
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
9© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Targeted Attack – Common Tactics
Repurposed Banking Trojans Targeted Ransomware Business Email Compromise Fraud
— Harvests and indexes victim data
— Installs remote access tools
— Allows targeted access to ultra high-net-worth entities’ online devices
— Diversifying to target less mature sectors, including online retail customer accounts
— Also known as CEO fraud
— Misleads financial controllers, treasurers and payment clerks
— Triggers fraudulent payments
— Often pretends to be from CEOs or other senior executives
— Methods rely on social engineering and open-source research of the victims, together with poor email integrity
— Custom ransomware
— Targets critical systems and data stores
— Uses knowledge of commercial system vulnerabilities
— Aims for maximum impact and disruption to ensure large ransom payments from businesses
— Vulnerabilities exist across government and other sectors
— Education and healthcare are currently the targets of choice
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
10© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
High-End Attack Details
Financial Cost:$1 million - $100 million.
Attack Methods:Conceived from a specialist viewpoint with
insider knowledge and understanding. These attackers develop their own custom toolkits to
target software vulnerabilities. While their attacks can sometimes be easily recognized
as the work of a particular group, in many cases the true motivation remains unknown.
Victims:Financial systems and infrastructure, through inside and specialist knowledge.
Overall Impact:Extreme – the damage to reputation and financial costs will permanently affect a business.
Victim Numbers:Dozens.
Technical Ability:Generally high. Attackers will understand the
vulnerabilities and design a customized attack methodology.
Attackers:Often smaller-scale, highly covert, organized
crime groups operating internationally..
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
11© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
High-End Attack – Common Tactics
Breaking into Banks and Financial Systems Disrupting Critical Infrastructure
— Highly lucrative attacks
— Aimed at “weak links”
— Hallmarks of an Advanced Persistent Threat (APT)
— Common euphemism for state-sponsored cyber espionage techniques
— Often aimed at critical national infrastructure
Sources: Lloyd’s, “Closing the Gap: Insuring your Business Against Evolving Cyber Threats” (June 2017)
Issues Facing Information Security
13© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Top 5 IT Issues 20171
2
3
4
5
Information Security
Stronger Policies and Procedures
Data-Informed Decision Making
Strategic Leadership/Governance
Sustainable Funding/Technology Investments
14© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
US Breaches By Industry Sector
3.6%
5.2%
10.1%
30.7%
50.3%
5.9%
5.6%
11.3%
22.6%
54.7%
0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0%
Banking
Government/Military
Higher Education
Heathcare
Business
Percentage of First Half 2016 vs 2017 Data Breaches
2017 2016
Sources: Identity Theft Resource Center, “At Mid-Year, U.S. Data Breaches Increase at Record Pace” (July 2017)
15© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Value of Sensitive DataSensitive Data is easy to obtain and has a high resale value:
— A stolen medical identity has a $50-$365 street value – more effort to obtain, more value to consumer
— Stolen social security number or credit card number only sells for $1 – high volume available, easy to detect and stop use
— Medical ID theft occurs when one person steals another’s medical information to obtain or pay for health care treatment. According to the World Privacy Foundation, medical identity theft has affected 1.5 million Americans at a cost of more than $30 billion.
— Avi Rubin, Director of the Johns Hopkins University Health and Medical Security Lab, said the healthcare sector was the “absolute worst” in terms of cyber security.
— “Malicious actors want as much intelligence as they can get, and healthcare is the easiest attack surface for seasoned and non-seasoned hackers.” (James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.)
— According to the latest Verizon Data Breach Report, there were 620 data breach incidents in the manufacturing sector in 2016. Hackers largely targeted the manufacturing industry in order to steal trade secrets, business plans and valuable intellectual property.
16© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Audit Committee Research and KPMG
AC Focus Area
55% of Audit Committee respondents feel that they should devote “more time” or “significantly more time” on Cyber for their agenda
Cyber Oversight
50% of Boards have assigned Cyber oversight responsibilities to the Full Board or Audit Committee
Organizations with structured leadership and strategy reduce average per record cost of a breach by $6.59/record lost)
Brand Damage
Loss of customer data can result in reputational risk and organizational brand damage (Companies average $3.32 million in brand damage per breach)
Training & Awareness
Organizations must invest in Cyber training and awareness for All employees, includingC-Level Executives. It only takes One employee opening an email attachment to open the door for cyber criminals
17© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
KPMG’s Healthcare Cyber Security Survey— 80% have reported a breach
in the past 12 months
— 53% of Providers and 66% of Payers consider themselves ready for a cyber attack
— Only 13% say they are tracking attacks every day on their infrastructures.
— 27% do not have a dedicated security leader and 45% do not have any Security Operations Center (SOC) capability
— Our conclusion: Most of the industry is able to identify and react to yesterday’s threats, not the new normal
233 Healthcare Executives (Payers and Providers) surveyed. 44% were Not-for-profit organizations. All had revenue over $500 million, 70% had revenue over $1 Billion.
The top seven causes of information security breaches:
1
2
3
4
5
6
7
Naive end usersLack of security awareness training and accountability
Misconfigurations or human errors
Malicious softwareviruses, worms and trojans
Lost or stolen computersincluding mobile devices
Disgruntled Employees and Contractors
Came into focus of mass media
Insufficient funding of IT and Information Security
18© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
KPMG’s Healthcare Cyber Security Survey
— Of the top seven reported causes of a security breach, five are people or process based.
— According to a recent HIMSS security survey:
The top seven causes of information security breaches:
1
2
3
4
5
6
7
Naive end usersLack of security awareness training and accountability
Misconfigurations or human errors
Malicious softwareviruses, worms and trojans
Lost or stolen computersincluding mobile devices
Disgruntled Employees and Contractors
Came into focus of mass media
Insufficient funding of IT and Information Security
“The greatest security threat to patient data is that it will be compromised by an organization’s staff. Eighty (80) percent of respondents noted that they were concerned that human-related factors would put data at risk. Furthermore, respondents were most likely to indicate the greatest motivator leading to the compromise of data is for workforce members to snoop on co-workers, friends and neighbors patient information“.
Cyber Security Trends and the Evolving Threat Landscape
20© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Current Cyber Security Trends
Extortion-driven attacks and ransomware attempts will increase and will become more threatening (moving in to backups, more theft, etc.)
EMR interoperability will provide larger attack surface, requiring new thinking and solutions, such as blockchain, patient ownership of data, etc.
Widespread use of medical devices and IoT (internet of things) brings a parallel increase in risk
Insider threat will be brought into greater focus as technology improves, allowing visibility into credential abuse
Organizations will focus much more on risks posed by third-party vendors and suppliers
21© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
New Platforms Mean New Threats
More users3.0 billion in 20154.0 billion in 2018
More smartphone connections3.3 billion in 20155.9 billion in 2020
More network traffic72.4 exabytes per month in IP traffic in 2015168.0 exabytes per month in IP traffic in 2019
More IP-connected devices16.3 billion in 201524.4 billion in 2019
More data8.8 zettabytes in 201544.0 zettabytes in 2020 168.0
EB72.4EB
24.4B16.3B
5.9B3.3B4.0B3.0B
44ZB
Sources: McAfee Labs (2015)
22© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Who is Doing It?
Cyber threats are malicious activities carried out via digital means.There are generally 5types of attackers: HACKTIVISTS
— Goals include attacking or disrupting to further a political agenda.
ORGANIZED CRIME— Motivated solely by financial gain.
THE INDIVIDUAL— Motivated by revenge, notoriety, or profit. Can
be either an individual external to the organization or within it.
NATION – STATE— Motivated by improving geopolitical
position or commercial interests.
$
CYBER TERRORISTS— Goals include destroying critical infrastructure to further
a political agenda.
23© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Current Cyber Security LandscapeAdversaries are getting more advanced
The number of endpoints and the amount of sensitive data that needs to be protected is exponentially increasing
The business continues to grow into new digital businesses increasing pressure on IT and security
New cyber regulations continue to challenge organizational focus
Cyber spend is reducing as cyber fatigue sets with the board, which is focused on the reduction of cyber and reputational risk
24© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Do We Have Our Eyes Open?
…There is a growing deficit between how quickly attackers can compromise vs. how quickly organizations can detect and respond. In other words, Attackers are improving faster than defenders…
More than half of organizations say it is
unlikely or highly unlikely that they would be able to
detect a sophisticated attack. (iTreasurer)
Once detected, it can take months to
resolve a breach (Verizon)
Data production will be 44 times greater in 2020 than in 2009 (IDC) making analysis and monitoring even
more difficult
For most companies, it takes over 6 months to even realize they have been breached.
(Ponemon)
Only 31% of organizations discovered they were breached through their own resources - Most entities are informed of a breach by third-parties such as law enforcement, etc. (Mandiant/FireEye)
In recent years, the percentage of
companies affected by a successful
cyberattack is 71% (NetIQ)
In 60% of cases, attackers were able to
compromise an organization within minutes (Verizon)
Just 55% of organizations feel
they have adequate resources for handling
security incidents(KPMG Healthcare
Survey)
25© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Ransomware Attacks— Ransomware attempts increased 4X in 2016 relative to 2015
and expected to double again in 2017 vs. 2016 (SC Magazine)
— 40% of spam email contained ransomware (IBM)
— Healthcare and Financial Services hardest hit Industries due to their dependence on business-critical information (Malwarebytes)
— Ransomware is increasing in popularity and complexity due to its ease of use and profitability for hackers.
— According to a new Healthcare IT News and HIMSS Analytics Quick HIT Survey, about 50% of all hospitals that responded said they suffered from a ransomware attack. Another 25% said they were unsure or had no way of knowing.
— Most business face at least 2 days of downtime but less than 25% of victims actually report it (the Atlantic)
010101010101010101010101011100101000100010001001010101010101010100010010101010110101000101010101010101010101010101010001010010101010111010100101010101000101010101010101010101010110101010000101010100100010101010101101010101010101010101010101010101110010100010001000100101010101010101001010101010010110110110111000100
26© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Recent Events
— Hacker incidents now account for about one-third of the 183 breaches added to the wall of shame so far this year (2016). But they represent about 84 percent of the 12.9 million individuals affected by the breaches added.
— A large credit reporting agency reported that hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers for over 143M consumers.
— 80M records taken from a large Healthcare payer.
— A California University indicated that 80,000 university personnel may be at risk following a cyber attack on a university system storing social security and bank account numbers.
— A Pennsylvania University revealed that hackers had breached an estimated 18,000 student and faculty accounts and an additional 500 research partner accounts. The attack targeted the university’s College of Engineering.
— 400 hospitals billings delayed as clearinghouse hit with ransomware.
— A major accounting and consulting firm reported a major cyber attack that compromised its email system and client records
How do we Organize our Cyber Program?
28© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
The New NormalBased on KPMG’s experience, industries are facing unique challenges. — The evolving threat landscape, where cyber attacks today are more sophisticated and well-
funded given the increased value of the compromised data on the black market.
— Organized criminals are remotely breaking into IT systems, stealing sensitive information for identity theft or fraud.
— The adoption of digital records and the automation of systems
— The ease of distributing sensitive data both internally (laptops, mobile devices, thumb drives) and externally (third parties, Cloud services).
— Shared services, outsourcing, and cloud solutions increase risks for data loss.
29© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Building a Cyber Program with the BusinessOrganizations universally agree: Cyber resource and investment allocations must be balanced between traditional reactive security measures, more proactive business enablement, and advanced sustainability objectives.
Cyber Defense Business Enablement Resilience
Cyber defense includes actions and infrastructure intended to defend the
perimeter.
Business Enablement involves cyber teams working collaboratively with
business owners.
Resilience represents an organizational commitment to cyber maturity.
Building a reliable structure for the business
The building blocks to technology services and cyber security
Data center consolidation New technology & capabilities Integration of acquisitions
email | Internal apps | External apps (cloud) & services
Technology services | Core network | Core OS | (building the foundation to support the business)
Targetoperating
model
Training &awareness
Identity &access
management
Assetmanagement
&data asset
classification
Secure development
& delivery
Incident response
Vulnerability management
Network security
architecture
Privileged access
management
Governance risk &
compliance
Security operations & monitoring
30© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Why Do Organizations Get It Wrong?Themes from organizations that have got it wrong:
— Not linking security to the business strategy— Failing to build in security fundamentals, comprehensive security testing, and asset management creates a
weak foundation — Failing to get the basics right such as configuration and patching – security is additive so new challenges must
be combined to existing challenges— Not keeping up-to-date with the latest threats and evolving their security awareness around it— Not considering global security compliance and regulation— Not completing appropriate third party due diligence— Concentrating too much on prevention of security incidents and not enough on detection of incidents and
appropriate reaction to incidents— Believing that traditional security controls are enough in our organizations. Today’s enhanced security risk
landscape requires intimate and immediate knowledge of threats, assets, and adversaries
— A lack of planning for the unexpected such as a major Crypto or other significant security architecture component failure: the heartbleed vulnerability had been there for years and was a simple two line coding error. There will be others, the only questions are where and when
— Allowing new functions or applications to be written in different programming languages to existing systems, on different machines, by different teams
— Failing to consider sustainable security— Failing to deal with a breach immediately and completely – following a security breach expect a significant
increase in targeting
31© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Cyber Maturity LensesLegal and compliance— Inventory of compliance
requirements— Compliance program components— Role of the audit committee— Litigation inventory— Cyber insurance
Operations and technology— Threat and vulnerability
management— Logical security controls— Physical security controls— Security monitoring — Incident response— Integration with IT service
management
Business continuity and crisis management— Ability to manage cyber event— Financial ramifications and budget— Resources required and training — Detailed plans— Communications — Testing
Information risk management— Risk management approach and
policies— Risk tolerance identification — Risk assessment and measures — Change management— Information sharing— Third party accreditation — Information communication
architecture
Human factors— Training and awareness— Culture— Personnel security measures— Talent management — Organizational roles and
responsibilities
Leadership and governance— Board involvement— Third party supplier relationships— Identification of critical data— Ownership and governance for
data protection— Project management
Board Engagement &
Oversight
32© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Cyber Remediation Plan
33© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Project Charters
34© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Call to Action
— Organizations have to align their security programs to the new threat model— Full attention should be paid to the insider threat as well as the external attacker
New threat model
— Organizations need to assess cyber maturity against a more rigorous standard, not just regulatory compliance
— Integrate cyber security with compliance to drive organization wide initiatives— Stronger reporting structure for the TOM (target operating model) and responsibility to not just the CIO
but also to Compliance and the board
Compliance does not equal cyber maturity
— Organizations have to improve their communications both internally and externally— Integrated cyber security technologies, with strong reporting and monitoring capabilities
Security threats are not confined to your own organization
— We need to invest in cyber security across the paradigm of people, process and technology— Only invest in technology with a measurable plan!— Attend to the basics first, build the right foundation before trying to advance
Increase cyber Investments – In the right order
How do we integrate Cyber into ongoing IA activities?
36© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
IT Internal Audit & Cyber ApproachWhere to Start:
— Use of IT Frameworks- Use of IT frameworks helps to ensure coverage over various IT general and Cyber areas.- Frameworks to assist in determining “what” can be evaluated. - Existing IT frameworks may need additional controls from frameworks such as examples: ISO 27001/2,
NIST 800-53, NIST CSF, Cloud Security Framework, Payment Card Industry Security Standards. - usually a combination of multiple frameworks plus regulatory requirements.
— Update the IT Universe and Risks to Include Cyber- Updating of the risks and universe via ongoing review, continual relationship management, and relationships
with IT including the integration of cyber security solutions and processes— Annual Planning / IT Risk Assessment
- Define as part of your annual defining of risk and audits areas relating to cyber for assessment - Breaking audits into 1) Required audits (SOX, Compliance) 2) Operationally critical testing and risk
assessment input, (consider on a rotation taking into consideration cyber security risk and emerging technology risk), 3) Assurance audits over projects (typically ERP, implementation, major security initiatives)
— Team / Skills to Perform Cyber Audits- Do we have the experience or training in cbyer to perform cyber audits- Use of IT specialist in testing; can be accomplished through IT guest auditor, external resources, and also
consider an approach to use specialist resources and audit generalist for knowledge transfer
37© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Sample IT Risk Framework
38© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Framework - Risk Management Domains
# IT Risk Domains Sample IT Risk Sub-Domains Sample Key Risks
1 IT Strategy & Architecture
— Strategic Mgmt.— Organisation — Architecture Mgmt.
— Emerging/Disruptive Technologies
— Risk and Compliance
— Enterprise architecture not matching the strategic goals of the organization can affect scalability and limit business growth
— Failure to consider current and emerging technologies for product development can affect competitiveness in the marketplace.
2
Portfolio, Programme & Project Management
— Portfolio Mgmt— Programme Mgmt
— Project Mgmt — Lack of a thorough understanding of business needs can impact quality (perceived and actual) of IT services delivered to the business.
— Slow or poor quality delivery of business transformation can affect competitiveness in the marketplace.
3Application Management & SDLC
— Application Management— Coding Standards— Release Mgmt
— SDLC— Testing/QA
— Inconsistent definition or application of SDLC standards across the IT organization can lead to issues in production and impact service delivery to the business
— Failure to consider risk and security within application development practices can increase the likelihood of business disruption from cyber threats.
4Service Delivery/IT Operations
— Capacity Mgmt— Change Mgmt— Configuration Mgmt— Incident Mgmt
— IT Asset Mgmt— Knowledge Mgmt— Patch Mgmt— Problem Mgmt
— Underutilization of IT's capabilities through poor resource allocations, structural inefficiency or strategic misalignment can lead to increased costs and diminished service in operational environment.
— Poor responsiveness to production outages can lead to a loss of revenue and increase operational costs.
5 IT Service Continuity
— Business Continuity — Disaster Recovery
— Systems & Service Availability
— Failure to understand and design for business resilience expectations can increase damages in the event of a disaster
6 Cyber/Information Security
— Application Security— Data Protection— Identity & Access Mgmt
— IP Protection— Physical Security — Vulnerability Mgmt
— Inadequate information security capabilities can expose the enterprise to data loss resulting in financial and reputational loss.
— Lack of data encryption systems, processes and infrastructure can significantly increase the likelihood of losing intellectual property.
7 Data Management
— Data Governance— Big Data
— Data protection & Backup
— Records Management
— Inability to understand and utilize enterprise (Inc. external) data can affect competitiveness in the marketplace.
8 Supplier Management
— Contract Management— Out-sourcing/Off shoring
— Third party (general) — Inadequate definition and enforcement of IT supplier contracts can lead to business disruptions.— Inadequate due diligence performed on third party prior to formal engagement.
9 IT Business Management
— Financial Mgmt— Talent Mgmt — Stakeholder Engagement
& Comms
— Lack of transparency of IT costs, benefits and risk can negatively impact business perception of IT.— Poor customer experience with IT can lead to lower adoption and reduced ROI for businesses.— A lack of mature, comprehensive and effective IT Risk Management framework can lead to a loss of
control over business processes and delivery.
—IT typically organizes delivery through technology domains/towers; adopting a risk-centric lens across each domain, ITIA can audit risks in an organized manner
—Sample IT Risk domains below are based on leading standards such as COBIT, ITIL, NIST and should be tailored to the organization
DRAFT – For Discussion Purposes Only
39© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
IT Audit and IT Risk Universes- Gather systems in the universe and the risks in order to develop the basis for the IT audit program- Both can be gathered from information available via the IT organization as well as interviews and surveys- IT Universe - Some of the best information can be pulled from IT management systems such as
Configuration Management Databases (CMDBs), security tools such as vulnerability scanners, and system management tools like those from ServiceNow or IBM
- IT Risks may also be gathered via Enterprise Risk Management (ERM) processes or Disaster Recover / Business Resiliency planning documents – consider “What Could Go Wrong”
Business Continuity and Disaster Recovery Data Management Data Privacy IT GovernanceBackup and recovery capabilities Accuracy and integrity of data Customer data Application governanceBusiness continuity plans Business intelligence capability Employee personal identifiable information Business process governanceBusiness involvement Data availability Encryption Controls governanceDisaster recovery plans ERP integration Intellectual property protection Demand managementLeadership and ownership of plans Ownership of data Infrastructure governanceRoles and responsibilities Protection of sensitive data Known deficiency remediationThird-party considerations Removable storage Policies and procedures
Unmonitored 3rd party access System selection
IT Asset Management Vendor Management and Sourcing IT Infrastructure Regulatory ComplianceApplication obsolescence Abiding by client standards Infrastructure growth e-DiscoveryData center physical security Appropriate Use of vendors Operating System HIPAAHardware inventory management Counterparty risk Database Local country laws/regulatory and statutory reporting IT purchasing Management of product quality Network architecture Payment cardSoftware asset management Vendor contingency plans System availability Sarbanes-OxleyTechnology obsolescence Vendor health System maintenance
Vendor performance management System software management Vendor secured environment Wireless computing
IT Security IT Strategy and Business Integration Project and Change Management Resource ManagementData and application classification Acquisitions, Divestiture and JVs Controls integration Identification of needed skill setsLogical data center security Application system portfolio Project management and execution Institutional knowledge and key person dependencyPrivileged users Budget and IT investment Project portfolio management IT staff turnoverProvisioning and De-provisioning Emerging technology Significant projects and initiatives Succession planningSegregation of duties IT cost take-out System development lifecycle Training and educationUse of encryption Plant/site closuresVirus protection Shared servicesVulnerability patching Strategic alignment
IT Risk Universe
40© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
IT Framework Aligned to Auditable EntitiesBusiness Capabilities Examples
Sam
ple
Sam
ple
Sam
ple
Cust
omer
Infli
ght E
xper
ien
Sam
ple
Busin
ess P
roce
ssM
arke
ting
Cust
omer
Rel
atio
nshi
p M
aEx
tern
al R
elat
ions
hips
and
Finan
ce
Hum
an R
esou
rce
Man
agem
Info
rmat
ion
Tech
nolo
gyLe
gal
Proc
urem
ent a
nd T
hird
Par
Sale
s
Stra
tegy
and
Auditable Entity(Audit Universe Area)
IT Risk Domain IT Risk Sub-Domain (Auditable Entity)PCI DSS Compliance 2018 2018 2018 2018 2018HIPAA Compliance 2018 2018 2018 2018PII Compliance 2018 2018 2018Other 2018 2018Data Governance 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017Data Quality 2017Data Platform and Architecture 2017Database Operations 2017Big Data - EDW Interface 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017 2017Application Management 2019SDLC 2017Identity & Access Management - Privileged Access 2017Information Security Strategy and Governance 2018Identity & Access Management - IdM Replacement 2017Continuous Security Monitoring 2018Network Infrastructure - Security Review 2017Cyber Incident Response - eEnablement Control 2017Vulnerability Management 2018Strategic Management 2018 2018Risk Management 2017Architecture Management 2019Emerging/Disruptive Technologies - Social Media 2017 2017 2017Emerging/Disruptive Technologies - Cloud 2017 2017 2017 2017 2017Emerging/Disruptive Technologies - Digital Payments 2018 2018 2018 2018 2018 2018 2018 2018 2018
Information/ Cyber Security
IT Strategy and Architecture
Application Management & SDLC
Technology Regulatory Compliance
Data Management
Q & A
42© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
Speaker BiographiesJason Lininger, KPMG IT Audit and AssuranceJason Lininger is a Director in KPMG’s Advisory Services practice with more than 20 years of information technology management experience in the areas of security management, compliance, cyber security, audit, and technology risk. He has a strong background across project and program management of IT risk, regulatory and compliance management, and strategic IT risk management. Jason’s current and past clients include some of the leading entities in the financial services, retail, healthcare, utilities, diversified industrial products, consumer goods, public sector, and insurance industries. Jason has also served as the IT Internal Audit Director for a Fortune 500 organization and was responsible regionally for helping organizations develop their cyber risk management approach as part of a cloud security corporation.
Melissa Lawlor, KPMG Cyber ServicesMelissa is a Manager in KPMG’s Cyber Practice and is part of KPMG’s National HIPAA team where she serves as a National Quality Director for Healthcare Security. Melissa has strong experience in information security and healthcare regulatory compliance. Her expertise includes information security, security program strategy and design, privacy and compliance, cyber security and maturity assessments, and global regulatory standards based risk and security assessments (HIPAA, NIST SP 800-53, 800-30, 800-66, NIST CSF, and ISO 27001/27002).
Michael Briggs, KPMG Cyber ServicesMichael is a Senior Associate in KPMG’s Cyber Security Services practice with experience in information security operations and regulatory compliance. Michael has served on multiple Cyber Security engagements for clients in manufacturing, healthcare, and life sciences. He has assisted with the construction and management of several security operations centers. His expertise includes information security, security program strategy and design, security operations center strategy, design and platform management, cyber security and maturity assessments, and global regulatory standards based risk and security assessments.
Thank you
Melissa Lawlor Manager Advisory, Cyber Security 215-298-4489mlawlor@kpmg.com
Michael BriggsSr. Associate Advisory, Cyber Security 928-606-7041 mjbriggs@kpmg.com
Jason LiningerDirector Advisory, IT Audit and Assurance414-477-6265jlininger@kpmg.com
Recommended